Events

Press

The Consequences of an Incomplete Threat Model

May 8, 2017 /
Paul Drapeau

Recently, I had the opportunity to do nothing for a day but sit on a beach, drink a few beers and watch the world go by. I was watching some birds that seemed to dive into the ocean, all day long, and kept coming up with fish. To myself (ok, out loud to my wife who just wanted to read a book) I said: “Imagine how much it sucks to be one of those fish. You spend your whole life swimming around worried about getting eaten by bigger fish.Then you get killed by something from the ‘sky,’ which you probably don’t even know exists as a dimension to be worried about.”

(I’m making a lot of assumptions here about fish and their world view but stay with me.)If you make the reasonable leap that something like that is the true perspective of these unfortunate fish, they met their untimely demise from a threat they couldn’t possibly predict. The world as they know it is full of potential threats, but they exist in the water with them. Bigger fish, octopus, jellyfish, etc., all pose potential lethal threats, but I’m sure, over time, if you’re small and you can swim fast, dealing with those things is well built into your evolved threat model and controls.

Then BOOM, something comes out of the sky and you’ve got yourself a serious incident on your hands. These birds weren’t dropping the latest exploit or attack technique, they were using a tried and true method that works. This method works because their target simply isn’t conscious of the fact that a threat could come from outside their world.There’s a valuable infosec lesson here: always be aware of the potential that any given threat model is incomplete. There are the vulnerabilities, attacker techniques and attack vectors you know and think about every day. The ones that have been used to attack you in the past and the ones that have been used to compromise your friends that swim in the same “school” are the vulnerabilities that tend to come up in “checklist” pentests. Is there an entire class of attacks or an entire dimension you’re not considering? That is probably where the most lethal threats are cruising along waiting to make you their next lunch. I’ve also seen a lot of National Geographic and Animal Planet shows about brightly colored predators with their own light sources, giant sticky tentacles, poison darts, and huge teeth. I’ve never seen a program on these little, white sea birds, but I watched them kill a ton of fish in just one day on just one beach. You don’t need to make the news to be an effective attacker. In many cases, the most effective attackers don’t make the news. The most lethal potential threats are not likely the ones grabbing all of the attention, they are the ones that have been there all along, willing and ready to attack you in ways you just aren’t considering at the moment.This is an area where we all can step up our game. While it’s nice to point out the latest big fish or elaborately camouflaged super predator (see Shadowbrokers, Vault7, named vulnerability), we need to always keep in mind the other, more common, vectors attackers might use.

I’ve dealt with a lot of potential incidents involving credential phishing emails. There isn’t a lot “anti-malware” solutions have to say about this threat vector. That’s one reason why visibility into who in the environment may have communicated with the IP addresses hosting the fake login forms is so critical. If your threat landscape is an ocean of malware, you miss the bird phishing your credentials with a simple HTTP POST. IT shops are getting better at defending against traditional malware and related threats but while we’re focused on that we may still be missing some really basic threats that could hurt. Basic hygiene and visibility does wonders in this case. Security controls such as 2FA and better logging shouldn’t be forgotten while we chase the most exciting predators.Malware, ransomware, three letter agencies, and “non-malware” attacks are the big shiny fish with huge teeth but remember, you need to consider threats from many other dimensions when building models and programs. If we do that, we are better defenders, because we can often find a dimension we’re missing. Knowing your environment well is the the most powerful skill a defender can bring to the table but you need to have an understanding of the other environments you interact with and what additional risks come from these interactions. The scary fish in the news probably lives far on the other side of the sea but the bird above you is going to eat you from the sky if you don’t keep your eyes open.